
Daily SMB Cyber Intelligence Brief

Today’s SMB cyber brief: supply‑chain packages stealing credentials + web service compromise risk

What small and medium-sized businesses should look out for today.

High
Monday 25 May 2026, 21:50 UK time
Today’s look-out: Supplier / software supply-chain credential theft and account takeover

What to look out for today

Be extra cautious about software and add-ons pulled from public package repositories (e.g., npm, PyPI, Crates.io). Reporting describes a coordinated campaign (“TrapDoor”) using multiple malicious packages to steal credentials.

Also note a separate incident write-up in which a web-based learning platform was compromised because identical keys were shared across customer deployments, letting attackers take over a server and then attempt to infect its visitors.

Why this matters to smaller businesses

  • Credential theft is an SME pain multiplier: once attackers have logins, they can access email, cloud storage, accounting, payroll, and customer data.
  • Supply-chain risk bypasses “we’re too small to target” thinking: attackers aim at tools and dependencies used by many organisations, including SMEs and the IT providers who support them.
  • Ripple effects: a compromised website or portal can be used to spread malware to staff, volunteers, students, or customers who simply visit it.

Warning signs

  • Unplanned password reset emails, MFA prompts, or sign-in notifications for Microsoft 365 / Google / accounting platforms.
  • New email inbox rules, unexpected forwarding, or “sent items” you don’t recognise.
  • New “integration”, “app”, or API token created in cloud services without a clear business request.
  • Unexpected changes in websites/portals (new scripts, redirects, strange pop-ups), or staff reporting security warnings when visiting your site.
  • Finance team receiving unusual supplier bank detail changes or urgent payment requests shortly after an account alert.

How attackers may exploit the situation

  • Poisoned dependencies: malicious packages can be accidentally pulled into internal tools, websites, or automations, then steal credentials used to deploy or administer systems.
  • Cloud account takeover: stolen credentials may be used to access email and cloud files, impersonate staff, and target customers/suppliers with convincing invoices.
  • Compromised web services: if a supplier product is deployed insecurely (e.g., shared keys reused across customers), attackers may compromise one instance and use it as a platform to infect visitors or harvest logins.

What to do today

  • Reinforce login hygiene: ensure MFA is on for email, accounting, payroll, and admin accounts; remove any unused accounts and old third-party app access.
  • Quick check of cloud audit logs: look for new OAuth/app consents, new inbox rules/forwarding, and unusual sign-ins (new locations/devices).
  • Remind staff about payment change controls: any bank detail change must be verified via a known phone number, not via email reply.
  • If you build software or have a web agency: pause “quick updates” from public package repos until dependencies are reviewed; prefer pinned versions and approved sources.

Ask your IT provider

  • Do we have alerts for new email forwarding/inbox rules and new third-party OAuth app consents in our cloud tenants?
  • What is our process to approve and track third-party integrations (accounting, CRM, marketing, website plugins)?
  • Do we maintain an inventory of the key web apps/portals we run (including hosted LMS/portals), and who is responsible for security configuration?
  • If we use developers/agencies: what controls exist for dependency management (review, pinning, scanning) before code is deployed?

Patch watch

A reported incident involved a Learning Management System compromise linked to a ViewState deserialization issue (CVE-2026-5426) and the reuse of identical pre-shared keys across deployments. If you run niche web platforms (including LMS/portals), ask your supplier/IT provider to confirm you are not using shared default keys and that your instance is on a supported, secured configuration.

One action today

Today, have your IT provider check for new email forwarding/inbox rules and newly-approved third‑party app (OAuth) access in your Microsoft 365/Google tenant, then remove anything not explicitly approved.
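For the IT provider doing the audit-log check described above (and in "What to do today"), here is an added example that is not part of the brief: a small Python filter that flags the named warning signs in Microsoft 365 Unified Audit Log records, namely inbox rules that forward or delete mail, mailbox-level forwarding, and new third-party app consents. The records below are constructed samples laid out with the real log's field names (Operation, UserId, Parameters); the users and addresses are made up.

```python
# Constructed sample records in the shape of Microsoft 365 Unified Audit Log
# entries. Field names match the real log; every value here is invented.
SAMPLE_AUDIT_RECORDS = [
    {"CreationTime": "2026-05-25T08:12:03", "Workload": "Exchange",
     "Operation": "New-InboxRule", "UserId": "alice@example.test",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "ext@attacker.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2026-05-25T08:15:40", "Workload": "Exchange",
     "Operation": "Set-Mailbox", "UserId": "alice@example.test",
     "Parameters": [{"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:ext@attacker.example"}]},
    {"CreationTime": "2026-05-25T09:01:11", "Workload": "AzureActiveDirectory",
     "Operation": "Consent to application.", "UserId": "bob@example.test",
     "Parameters": []},
    {"CreationTime": "2026-05-25T09:30:00", "Workload": "Exchange",
     "Operation": "New-InboxRule", "UserId": "carol@example.test",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
]

# Inbox-rule parameters that move mail out of the mailbox or hide it.
RISKY_RULE_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage"}
# Set-Mailbox parameters that turn on mailbox-level forwarding.
FORWARDING_MAILBOX_PARAMS = {"ForwardingSmtpAddress", "ForwardingAddress"}

def params(record):
    """Flatten the Parameters list into a name -> value dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def classify(record):
    """Return a finding label for a record, or None if it is not a warning sign."""
    op, p = record.get("Operation"), params(record)
    if op in ("New-InboxRule", "Set-InboxRule") and set(p) & RISKY_RULE_PARAMS:
        return "inbox rule forwarding/deleting mail"
    if op == "Set-Mailbox" and set(p) & FORWARDING_MAILBOX_PARAMS:
        return "mailbox-level forwarding set"
    if op == "Consent to application.":
        return "new third-party app consent"
    return None  # e.g. a plain move-to-folder rule is ordinary user behaviour

def find_warning_signs(records):
    """Return (time, user, finding) for every record that matches a warning sign."""
    return [(r["CreationTime"], r["UserId"], classify(r)) for r in records if classify(r)]

if __name__ == "__main__":
    for when, who, why in find_warning_signs(SAMPLE_AUDIT_RECORDS):
        print(f"{when}  {who:22} {why}")
```

Each flagged line is a starting point for the "remove anything not explicitly approved" step, not a verdict on its own.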

Related Actions On Cyber resource

Actions On Cyber checklist: “Email account takeover quick checks (M365/Google) + stopping invoice/payment diversion scams”

Sources

This brief is for general awareness and does not replace advice from your IT provider, legal adviser, insurer or incident response specialist.